Description
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, the setCookie() utility did not validate semicolons (;), carriage returns (\r), or newline characters (\n) in the domain and path options when constructing the Set-Cookie header. Because cookie attributes are delimited by semicolons, this could allow injection of additional cookie attributes if untrusted input was passed into these fields. This issue has been patched in version 4.12.4.
CVSS Metrics
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
- Attack Vector
- network
- Complexity
- low
- Privileges
- none
- User Action
- required
- Scope
- unchanged
- Confidentiality
- low
- Integrity
- low
- Availability
- none
- Weaknesses
- CWE-1113NVD-CWE-Other
Metadata
- Primary Vendor
- HONO
- Published
- 3/4/2026
- Last Modified
- 3/6/2026
- Source
- NIST NVD
- Note: Verify all details with official vendor sources before applying patches.
Affected Products
hono : hono
AI-Powered Remediation
Generate remediation guidance or a C-suite brief for this vulnerability.